California Consumer Privacy Act: What FinServ Providers Need to Know

If you are a financial services provider located outside of California and think that this legislation won't affect you, keep reading; I'll address that shortly. In the meantime, did you know that financial services companies are attacked by cybercriminals more than a billion times a year? As rising rates of data breaches and identity theft continue to take more than $16 billion from financial institutions (not to mention the damage done to their reputations), consumers are more concerned than ever about the privacy and security of their personally identifiable information (PII). As a result, a full 83% of Americans want the government to impose stricter regulations to protect their data privacy, which brings us to the highly anticipated California Consumer Privacy Act (CCPA).

The CCPA was signed into law in June 2018 (and amended that September) and takes effect on January 1, 2020 (yes, just a few months away). Modeled in many ways on the European Union's General Data Protection Regulation (GDPR), the CCPA is designed to give the nearly 40 million people living in California more rights over how their personal information is collected, shared, sold, and protected by the organizations they do business with.

What does the CCPA do?

The CCPA gives California residents greater control over how their personal information is collected and used. It gives them the right to request that a business disclose the personal information it has collected about them, along with the categories of third parties with which the business sells or shares that information; the right to direct the business not to sell their personal information (the "Do Not Sell" opt-out); the right to have the business delete the personal information it has collected from them (subject to exceptions, such as data needed to complete a transaction or to meet a legal obligation); and the right not to be treated differently for exercising any of these rights.

Financial institutions and providers that must comply with the CCPA

As I mentioned, even if your financial institution is not located in California, the CCPA may still apply to your business. It covers any for-profit entity that does business in California, collects California residents' personal information, determines how that information is processed, and meets at least one of the thresholds below; a physical presence in the state is not required. If your business meets any one of the following criteria, you must comply with the regulation come January 1, 2020 (that date is fixed in the statute; what is still being finalized are amendments and the Attorney General's implementing regulations, and enforcement does not begin until July 1, 2020). Financial institutions should also note the partial carve-out: personal information collected, processed, sold, or disclosed under the federal Gramm-Leach-Bliley Act (GLBA) is exempt from most of the CCPA, but the exemption attaches to the data rather than to the institution, so information that GLBA does not cover (website visitors and marketing prospects, for example) stays in scope, and the exemption does not extend to the private right of action for data breaches described below:

  • If your business has annual gross revenue in excess of $25 million
  • If your business buys, receives, sells, or shares for commercial purposes the personal information of 50,000 or more California consumers, households, or devices annually
  • If your business derives 50% or more of its annual revenue from selling the personal information of California residents

What will happen if you don’t comply with the CCPA?

Financial services providers that meet one of the criteria above and fail to comply with the CCPA are subject to civil penalties, enforced by the California Attorney General, of up to $2,500 per violation and up to $7,500 per intentional violation. More importantly, the law also gives California residents a private right of action if their nonencrypted and nonredacted personal information is "subject to unauthorized access and exfiltration, theft, or disclosure" as a result of the organization's failure to implement and maintain reasonable security procedures and practices: statutory damages of $100 to $750 per consumer per incident, or actual damages if greater, following a 30-day notice-and-cure period. Multiplied across the customer base exposed in a typical breach, that is the figure that matters.

With such significant consequences at stake, businesses must begin preparing now.

How financial services providers can get ready for the CCPA

The best way to lessen the burden of compliance within your financial institution is to reduce the scope of the PII you handle in the first place. Businesses can narrow the scope of compliance and mitigate the risk of a data breach by using solutions that keep PII out of the organization's environment altogether, whether in voice or digital customer service channels or even in person.

Within the voice channel, solutions with dual-tone multi-frequency (DTMF) masking ensure that consumers' sensitive payment card data is never processed or stored in the organization's network infrastructure. With DTMF masking, a consumer calling a customer service representative (CSR) to pay a bill, for example, enters the card number on the telephone keypad rather than reading it aloud to the CSR. The keypad tones (DTMF tones) are detected and replaced with flat tones before they reach the agent leg of the call, so they are indecipherable to the agent, while the digits themselves are captured by the payment platform and passed to the payment processor. This keeps the card number off the call recording system and away from the CSR, who could otherwise write the digits down and use them later for fraudulent purchases; the contact center only ever sees the outcome of the payment, not the card data.
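To make the mechanism concrete, here is an added Python illustration of what a DTMF-masking proxy does on the audio path; it is example code written for this article, not code from the original post or from any vendor's product. The proxy splits the caller's audio into 20 ms frames, detects keypad digits with the Goertzel algorithm, records the digits out of band, and forwards a flat replacement tone to the agent/recorder leg, so running the same detector on the agent leg recovers nothing. The sample rate, frame size, tone durations, detection threshold, the 440 Hz replacement tone, the constructed test card number and the stand-in `tokenize()` function are all assumptions chosen so the example runs offline; a real deployment would hand the digits to a PCI-scoped tokenization or payment service instead.

```python
import hashlib
import math
from typing import Iterable, List, Optional, Tuple

# Assumptions for this demo: narrowband telephony audio, 20 ms RTP frames,
# amplitude-0.5 test tones. Real systems tune these to the live audio path.
SAMPLE_RATE = 8000
FRAME = 160                               # 20 ms at 8 kHz (one G.711 RTP frame)
LOW_FREQS = (697, 770, 852, 941)          # DTMF row frequencies
HIGH_FREQS = (1209, 1336, 1477, 1633)     # DTMF column frequencies
KEYPAD = ("123A", "456B", "789C", "*0#D")
POWER_THRESHOLD = 200.0                   # a clean tone scores ~1600, leakage < 100
MASK_FREQ = 440.0                         # the flat tone the agent hears instead


def goertzel_power(frame: List[float], freq: float) -> float:
    """|X(freq)|^2 of `frame`, via the Goertzel recurrence at an arbitrary frequency."""
    w = 2.0 * math.pi * freq / SAMPLE_RATE
    coeff = 2.0 * math.cos(w)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_digit(frame: List[float]) -> Optional[str]:
    """Return the DTMF digit sounding in this frame, or None for speech/silence."""
    powers = {f: goertzel_power(frame, f) for f in LOW_FREQS + HIGH_FREQS}
    low = max(LOW_FREQS, key=powers.get)
    high = max(HIGH_FREQS, key=powers.get)
    if min(powers[low], powers[high]) < POWER_THRESHOLD:
        return None
    return KEYPAD[LOW_FREQS.index(low)][HIGH_FREQS.index(high)]


def tone(freqs: Iterable[float], n: int, amplitude: float = 0.5) -> List[float]:
    """n samples of summed sinusoids (constructed audio for the demo)."""
    freqs = tuple(freqs)
    return [sum(amplitude * math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n)]


def dial(digits: str) -> List[float]:
    """Caller-leg audio: each keypress is 100 ms of dual tone then 40 ms of silence."""
    audio: List[float] = []
    for d in digits:
        row = next(r for r, keys in enumerate(KEYPAD) if d in keys)
        col = KEYPAD[row].index(d)
        audio += tone((LOW_FREQS[row], HIGH_FREQS[col]), 5 * FRAME)
        audio += [0.0] * (2 * FRAME)
    return audio


def mask_dtmf(audio: List[float]) -> Tuple[str, List[float]]:
    """The masking proxy: capture digits out of band, send a flat tone to the agent."""
    captured: List[str] = []
    agent_leg: List[float] = []
    previous: Optional[str] = None
    for start in range(0, len(audio), FRAME):
        frame = audio[start:start + FRAME]
        digit = detect_digit(frame)
        if digit is None:
            agent_leg += frame                       # speech passes through untouched
        else:
            if digit != previous:                    # rising edge = one keypress
                captured.append(digit)
            agent_leg += tone((MASK_FREQ,), len(frame))   # agent and recorder get this
        previous = digit
    return "".join(captured), agent_leg


def luhn_ok(pan: str) -> bool:
    """Luhn check on the captured digits before they go anywhere near a processor."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def tokenize(pan: str) -> str:
    """Stand-in (assumption) for a call to a PCI-scoped tokenization service."""
    digest = hashlib.sha256(b"demo-token-key:" + pan.encode()).hexdigest()[:16]
    return f"tok_{digest}_{pan[-4:]}"


def process_call(digits: str) -> dict:
    """What the proxy captures versus what the agent leg could ever yield."""
    pan, agent_leg = mask_dtmf(dial(digits))
    heard_by_agent, _ = mask_dtmf(agent_leg)       # run the detector on the masked leg
    token = tokenize(pan) if pan.isdigit() and luhn_ok(pan) else None
    return {"captured": pan, "agent_heard": heard_by_agent, "token": token}


if __name__ == "__main__":
    print(process_call("4111111111111111"))     # constructed test PAN, not a real card
```

Running `process_call("4111111111111111")` returns the full number in `captured`, an empty string in `agent_heard`, and a token ending in the last four digits: the only thing that needs to cross into the contact center. Production systems often intercept the digit events at the signalling level (RFC 4733 telephone-event RTP payloads) rather than analysing the audio, but the descoping principle is the same: the digits terminate in the payment platform, and the agent desktop and recorder receive only a token and an authorization result.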

Within digital channels, secure payment hyperlinks sent via webchat, social media, email, SMS, QR codes, e-commerce, and m-commerce give consumers a fast, easy, and secure way to make purchases or pay bills. The link takes the customer to a payment page outside the institution's own environment, so the card details are entered and processed there rather than in the institution's systems or by its agents, keeping the transactions and the associated sensitive data out of the scope of compliance.


By reducing the amount and type of data on hand that is subject to the CCPA, financial services providers can dramatically reduce the costs and complexities associated with meeting and maintaining compliance. Most importantly, it makes the organization a much less attractive target for cybercriminals and hackers.

If your institution falls within the CCPA's scope, you will find that the processes outlined above, along with descoping technologies, help streamline your compliance efforts. Even though this new regulation may require some heavy lifting, it is here to protect not only your customers but also your business from a costly and potentially reputation-damaging data breach.